2.0.1 Segfault
Michael J. Hartwick
hartwick at hartwick.com
Wed Jan 30 19:32:17 CET 2008
Hi,
I know that this post may not contain all of the required information;
this is just to get things going while I investigate further.
I have had a problem with FreeRADIUS segfaulting intermittently for a
number of months which makes it hard to gather the required
information. The only thing that I found in all cases was the
numerous, empty Cisco-AVPairs in the packet. With it being a segfault
I suspect accessing a null pointer somewhere.
I have captured a packet that is causing this to occur and sure enough
it contains the numerous, empty Cisco-AVPairs. I have started it in
gdb now; the output of bt is below.
rad_recv: Accounting-Request packet from host w.x.y.z port 2903, id=213,
length=362
Service-Type = Framed-User
Cisco-AVPair = ""
Cisco-AVPair = ""
Cisco-AVPair = ""
Cisco-AVPair = ""
Cisco-AVPair = ""
Cisco-AVPair = ""
Cisco-AVPair = ""
Cisco-AVPair = ""
Cisco-AVPair = ""
Cisco-AVPair = ""
Cisco-AVPair = ""
Cisco-AVPair = ""
Cisco-AVPair = ""
Cisco-AVPair = ""
Cisco-AVPair = ""
Cisco-AVPair = ""
Cisco-AVPair = ""
Cisco-AVPair = ""
NAS-Port-Type = Async
Connect-Info = "3120"
Calling-Station-Id = "NPANXXxxxx"
X-Ascend-PreSession-Time = 41
X-Ascend-Disconnect-Cause = Remote-End-Hung-Up
Acct-Session-Id = "00004E39"
Acct-Session-Time = 114
Framed-IP-Address = W.X.Y.Z
Acct-Link-Count = 1
Acct-Authentic = RADIUS
User-Name = "test at test.com"
NAS-Port = 1060
Called-Station-Id = "yyyxxxx"
Framed-Protocol = PPP
Acct-Terminate-Cause = User-Request
Acct-Input-Packets = 53
Acct-Output-Packets = 39
X-Ascend-Data-Rate = 26400
Acct-Delay-Time = 0
Acct-Input-Octets = 1431
Login-Service = PortMaster
Acct-Output-Octets = 9084
X-Ascend-Modem-SlotNo = 6
X-Ascend-Xmit-Rate = 31200
Acct-Status-Type = Stop
Segmentation fault
0x40297d8f in memcpy () from /lib/libc.so.6
(gdb) bt
#0 0x40297d8f in memcpy () from /lib/libc.so.6
#1 0x400289c1 in rad_attr2vp (packet=0x8177678, original=0x0, secret=0x8169168 "secret",
attribute=90, length=0, data=0x817887c "\004\006\n\001\001\226x\006\001\005")
at radius.c:1953
#2 0x40028df4 in rad_decode (packet=0x8177678, original=0x0, secret=0x8169168 "secret")
at radius.c:2386
#3 0x080539d4 in client_socket_decode (listener=0x8174960, request=0x8178898) at listen.c:697
#4 0x0805faab in request_pre_handler (request=0x8178898) at event.c:995
#5 0x08061e2d in radius_handle_request (request=0x8178898, fun=0x804d2b0 <rad_accounting>)
at event.c:2701
#6 0x0805ad21 in thread_pool_addrequest (request=0xffffffff, fun=0x8179f04) at threads.c:860
#7 0x08061510 in event_socket_handler (xel=0x8174f98, fd=13, ctx=0x8179f04) at event.c:2340
#8 0x40030c23 in fr_event_loop (el=0x8174f98) at event.c:412
#9 0x08061e03 in radius_event_process () at event.c:2696
#10 0x0805968f in main (argc=2, argv=0x2) at radiusd.c:381
#11 0x4022fd06 in __libc_start_main () from /lib/libc.so.6
I *think* that the problem might be the length=0 in the call to
rad_attr2vp(). If that is the case then something like:
if (length == 0) return NULL;
at line 1928 or so of radius.c might resolve the problem. Before I go
ahead and make that addition, am I on the right page or way off in
left field on this?
Michael
----------------------------------------------------------------------
Michael J. Hartwick, VE3SLQ hartwick at hartwick.com
Hartwick Communications Consulting (519) 396-7719
Kincardine, ON, CA http://www.hartwick.com
----------------------------------------------------------------------
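Added example, not part of the original post and not FreeRADIUS code: a minimal RADIUS attribute walker that counts and skips a zero-length value, such as the empty Cisco-AVPairs in the packet above, and rejects any length too small for its own header before anything reaches memcpy. It assumes the RFC 2865 attribute and Vendor-Specific layouts; walk_attrs, take_value and struct walk_result are hypothetical names, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical result type for this example (not a FreeRADIUS structure). */
struct walk_result {
    int with_data, empty;   /* values with >= 1 byte; well-formed empty values */
    uint8_t last[253]; size_t last_len;   /* most recent non-empty value */
};

/* Constructed sample: Service-Type, two empty Cisco-AVPairs (vendor 9, type 1), NAS-Port-Type. */
static const uint8_t sample[] = {
    6, 6, 0, 0, 0, 2,   26, 8, 0, 0, 0, 9, 1, 2,
    26, 8, 0, 0, 0, 9, 1, 2,   61, 6, 0, 0, 0, 0,
};

/* Record one value; a zero-length value is counted and never reaches memcpy. */
static int take_value(const uint8_t *data, size_t len, struct walk_result *r)
{
    if (len == 0) { r->empty++; return 0; }
    if (len > sizeof(r->last)) return -1;
    memcpy(r->last, data, len);
    r->last_len = len; r->with_data++;
    return 0;
}

/* Walk an attribute area; returns 0 if well formed, -1 if any length is bad. */
int walk_attrs(const uint8_t *p, size_t n, struct walk_result *r)
{
    memset(r, 0, sizeof(*r));
    while (n > 0) {
        if (n < 2 || p[1] < 2 || p[1] > n) return -1;   /* header + bounds */
        size_t alen = p[1], left = alen - 2;
        const uint8_t *s = p + 2;
        if (p[0] == 26) {                       /* Vendor-Specific, RFC 2865 */
            if (alen < 6) return -1;            /* no room for vendor-id */
            for (s = p + 6, left = alen - 6; left > 0; left -= s[1], s += s[1]) {
                if (left < 2 || s[1] < 2 || s[1] > left) return -1;
                if (take_value(s + 2, (size_t)s[1] - 2, r) < 0) return -1;
            }
        } else if (take_value(s, left, r) < 0) return -1;
        p += alen; n -= alen;
    }
    return 0;
}

int main(void)
{
    struct walk_result r;
    return walk_attrs(sample, sizeof(sample), &r) == 0 && r.empty == 2 ? 0 : 1;
}
```

The length checks come before every subtraction, so a declared length of 0 or 1 is rejected instead of wrapping around to a huge unsigned copy size.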